The Securities and Exchange Commission’s (SEC or Commission) Office of Compliance Inspections and Examinations (OCIE) announced in a September 15, 2015 Risk Alert (2015 Risk Alert) that it will be conducting a second round of examinations of broker-dealers and investment advisers, focused on cybersecurity.1 One week later, the SEC’s Enforcement Division announced the settlement of an enforcement proceeding against an investment adviser for failing to establish adequate cybersecurity policies and procedures, as required under Regulation S-P.2
The announcement of the second round of OCIE cybersecurity exams and the recent enforcement action are strong signals that the SEC remains focused on evaluating the cybersecurity policies and procedures adopted by investment advisers and broker-dealers. While the first round of OCIE exams appeared to be more focused on inventorying the particular cybersecurity policies and practices that firms had adopted, the sample information request included in the 2015 Risk Alert indicates that the SEC will now focus on the implementation and operation of cybersecurity policies and procedures. The enforcement proceeding indicates that firms may be subject to regulatory enforcement for failure to adopt adequate cybersecurity policies and procedures, even in the absence of financial harm to investors.
The Commission’s Continued Emphasis on Cybersecurity
Cybersecurity remains a priority for the Commission and its staff. Commission Chair Mary Jo White recently called cybersecurity a “key priority area” for the Commission.3 Earlier this month, Commissioner Kara Stein similarly signaled this issue’s importance, when she noted that “cybersecurity has become one of the most significant issues affecting investors, corporate issuers, and financial institutions – really just about everyone in the financial marketplace.”4 Likewise, Commissioner Luis Aguilar commented earlier this year that “it is not an overstatement to say that cybersecurity is one of the defining issues of our time.”5
Such intense and pointed remarks from multiple commissioners should make clear to industry compliance professionals that the issue remains front of mind for the Commission.6 In light of the heightened regulatory attention, compliance teams at investment advisers and broker-dealers should take note.
Background on Round Two of the OCIE Cybersecurity Examinations
In March 2014, the Commission sponsored a cybersecurity roundtable, after which OCIE announced that it would conduct an initial round of cybersecurity examinations (2014 Risk Alert).7 OCIE subsequently examined 57 broker-dealers and 49 investment advisers. In February 2015, OCIE published the results from these examinations. Notably, OCIE found that most of the entities examined had directly or indirectly been the target of a cyber-attack.8 OCIE’s second round of cybersecurity examinations has been expected since early 2015.9
OCIE’s 2015 Cybersecurity Examination Initiative
In the 2015 Risk Alert, OCIE announced that in this round of examinations it will focus on six areas: (i) governance and risk assessment; (ii) access rights and controls; (iii) data loss prevention; (iv) vendor management; (v) training; and (vi) incident response. In addition to providing the areas of focus, OCIE provided a set of sample requests for information. The sample list of requests is instructive, and provides helpful insight into what measures the Staff may expect firms to have taken to secure customer data.
Importantly, the 2015 Risk Alert and the sample inquiries indicate that OCIE expects each firm to have implemented more than a generic, cookie-cutter cybersecurity policy. Firms should actively analyze their particular risk profiles, and implement a policy specifically designed to address their relevant risks. In doing so, firms should consider internal as well as external risks.
The process of tailoring cybersecurity policies and procedures to a firm’s particular needs should not be a one-time endeavor. Indeed, the 2015 Risk Alert suggests that an effective plan involves the regular monitoring and analysis of potential risks including the risks arising from employees and vendors who inadvertently compromise the security of sensitive information. Firms should also consider implementing systems to actively document new risks, so that the firm’s program can keep pace with ever-evolving threats.
The 2015 Risk Alert also makes clear that merely adopting a policy, but failing to effectively implement and monitor that policy, is insufficient. Importantly, implementation of an effective cybersecurity plan should include an incident response plan to address what will happen if data is compromised, including processes to document the firm’s response and the extent of the impact on the firm and its clients.
In addition, as compared to OCIE’s 2014 Risk Alert, the 2015 Risk Alert highlights OCIE’s concern with the increased risk that firms may face if they fail to implement “basic controls.” To address this issue, the sample requests attached to the 2015 Risk Alert seek specific information regarding the technologies and technical processes firms have in place to protect customer information. For example, the 2015 Risk Alert indicates that OCIE may request information about a firm’s use of multi-factor authentication, the remote de-activation of devices, and penetration testing.
Importantly, the 2015 Risk Alert notes that “[t]he adequacy of supervisory, compliance and other risk management systems can be determined only with reference to the profile of each specific firm[.]” It is clear that the OCIE examiners will be looking for evidence of a cybersecurity plan that addresses the risks based on a firm’s own risk profile. In fact, the 2015 Risk Alert cautions that the enumerated items of emphasis are not exclusive, and that examiners may select additional areas on which to focus, based on the risks identified in the course of the examinations.
Recent Cybersecurity Enforcement Highlights the Importance of Proactively Assessing Risks and Tailoring a Cybersecurity Program to Those Risks
In a recent settled enforcement proceeding, In the Matter of R.T. Jones Capital Equities Management, Inc.10 (R.T. Jones Order), the Staff alleged that an SEC-registered investment adviser failed to adopt written policies and procedures reasonably designed to protect customer records and information, in violation of Rule 30(a) of Regulation S-P (Safeguards Rule).
According to the Staff, from at least September 2009 through July 2013, the adviser stored sensitive personally identifiable information (PII) of clients and others on a third-party-hosted web server “without adopting written policies and procedures regarding the security and confidentiality of that information and the protection of that information from anticipated threats or unauthorized access.” Then, in July 2013, the web server was attacked by an “unauthorized, unknown intruder,” and as a result, “sensitive data of more than 100,000 individuals, including thousands of [the adviser’s] clients, was rendered vulnerable to theft.” The adviser “promptly retained more than one cybersecurity consulting firm to confirm the attack and assess the scope of the breach,” but neither firm could determine whether the sensitive data stored on the server had been accessed or compromised during the breach. Shortly thereafter, the adviser provided notice of the breach to all individuals whose sensitive data may have been compromised. The adviser agreed to pay a $75,000 penalty, and took remedial steps to improve its cybersecurity program after the attack.11 It is important to note that the apparent trigger for the SEC’s enforcement action was the adviser's failure to adopt written policies and procedures that were reasonably designed to protect customer records and information, and there was no indication that a client had suffered actual financial harm as a result of the incident.
The R.T. Jones Order highlights the importance of oversight of third-party web services and tailoring cybersecurity policies and procedures to a firm’s particular business, indicating that firms cannot simply adopt cookie-cutter policies and procedures and then take swift action to remedy a breach if one occurs. Indeed, the Commission alleged that, “[t]aken as a whole, [the adviser’s] policies and procedures ... were not reasonable to safeguard customer information.” For example, while the adviser kept customer PII on a web server, the SEC noted that the adviser both failed to employ a firewall to protect the server and failed to encrypt the PII stored on the server. In addition, even though the Commission acknowledged that the adviser “promptly” took certain steps to address the breach, the Commission noted that the adviser had failed to establish procedures for responding to a cybersecurity incident and also did not conduct periodic risk assessments.
The R.T. Jones Order underscores that investment advisers and broker-dealers may face regulatory scrutiny and enforcement actions even without a concrete, identifiable financial impact to clients. Indeed, the Order notes that, to date, the adviser has not learned that any client has suffered financial harm as a result of the attack. Moreover, in announcing the settlement, the Co-Chief of the Enforcement Division’s Asset Management Unit explained that “it [is] important to enforce [Regulation S-P] even in cases like this when there is no apparent financial harm to clients.”12
The continued focus on cybersecurity by the SEC signals that the importance of this issue for the financial sector continues to grow. In particular, it is likely there will be a notable increase in cybersecurity-related enforcement. Commissioner Aguilar stated earlier this year that “the SEC has been proactively examining how it can bring more cybersecurity enforcement actions using its existing authority, and how that authority might need to be broadened to meet emerging cybersecurity threats.”13
Commission Chair White has made clear that “[the SEC] publish[es] these risk alerts, in part, so that compliance professionals can evaluate controls and procedures in these areas and make proactive improvements as appropriate.”14 Like the 2014 Risk Alert, the 2015 Risk Alert provides an opportunity for investment advisers and broker-dealers to evaluate current efforts to deal with cyber threats, including whether current policies are effectively implemented, whether that implementation is actively monitored and documented, and whether – in light of the 2015 Risk Alert – the Staff may expect more.